Administrative Domain

The Experts below are selected from a list of 4704 Experts worldwide ranked by ideXlab platform

Vinod Ganapathy - One of the best experts on this subject based on the ideXlab platform.

  • ICISS - Reflections on the Self-service Cloud Computing Project
    Information Systems Security, 2015
    Co-Authors: Vinod Ganapathy
    Abstract:

    Modern cloud computing infrastructures use virtual machine monitors (VMMs) that often include a large and complex Administrative Domain with privileges to inspect client VM state. Attacks against or misuse of the Administrative Domain can compromise client security and privacy. Moreover, these VMMs provide clients inflexible control over their own VMs, as a result of which clients have to rely on the cloud provider to deploy useful services, such as VM introspection-based security tools. This paper discusses the self-service cloud computing (SSC) project that addresses these two shortcomings. SSC splits Administrative privileges between a system-wide Domain and per-client Administrative Domains. Each client can manage and perform privileged system tasks on its own VMs, thereby providing flexibility. The system-wide Administrative Domain cannot inspect the code, data or computation of client VMs, thereby ensuring security and privacy. SSC also allows providers and clients to establish mutually trusted services that can check regulatory compliance while respecting client privacy. We have used a prototype implementation of SSC atop the Xen hypervisor to build user Domains to perform privileged tasks such as memory introspection, storage intrusion detection, and anomaly detection.

  • ACM Conference on Computer and Communications Security - Self-service cloud computing
    Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12, 2012
    Co-Authors: Shakeel Butt, Abhinav Srivastava, H. Andrés Lagar-Cavilla, Vinod Ganapathy
    Abstract:

    Modern cloud computing infrastructures use virtual machine monitors (VMMs) that often include a large and complex Administrative Domain with privileges to inspect client VM state. Attacks against or misuse of the Administrative Domain can compromise client security and privacy. Moreover, these VMMs provide clients inflexible control over their own VMs, as a result of which clients have to rely on the cloud provider to deploy useful services, such as VM introspection-based security tools. We introduce a new self-service cloud (SSC) computing model that addresses these two shortcomings. SSC splits Administrative privileges between a system-wide Domain and per-client Administrative Domains. Each client can manage and perform privileged system tasks on its own VMs, thereby providing flexibility. The system-wide Administrative Domain cannot inspect the code, data or computation of client VMs, thereby ensuring security and privacy. SSC also allows providers and clients to establish mutually trusted services that can check regulatory compliance while respecting client privacy. We have implemented SSC by modifying the Xen hypervisor. We demonstrate its utility by building user Domains to perform privileged tasks such as memory introspection, storage intrusion detection, and anomaly detection.

  • Self-service cloud computing
    Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12, 2012
    Co-Authors: Sajid Butt, Shakeel Butt, Abhinav Srivastava, H. Andrés Lagar-Cavilla, Vinod Ganapathy
    Abstract:

    Modern cloud computing infrastructures use virtual machine monitors (VMMs) that often include a large and complex Administrative Domain with privileges to inspect client VM state. Attacks against or misuse of the Administrative Domain can compromise client security and privacy. Moreover, these VMMs provide clients inflexible control over their own VMs, as a result of which clients have to rely on the cloud provider to deploy useful services, such as VM introspection-based security tools. We introduce a new self-service cloud (SSC) computing model that addresses these two shortcomings. SSC splits Administrative privileges between a system-wide Domain and per-client Administrative Domains. Each client can manage and perform privileged system tasks on its own VMs, thereby providing flexibility. The system-wide Administrative Domain cannot inspect the code, data or computation of client VMs, thereby ensuring security and privacy. SSC also allows providers and clients to establish mutually trusted services that can check regulatory compliance while respecting client privacy. We have implemented SSC by modifying the Xen hypervisor. We demonstrate its utility by building user Domains to perform privileged tasks such as memory introspection, storage intrusion detection, and anomaly detection.

Kim-Kwang Raymond Choo - One of the best experts on this subject based on the ideXlab platform.

  • Enhanced Network Support for Federated Cloud Infrastructures
    IEEE Cloud Computing, 2016
    Co-Authors: Aniello Castiglione, Francesco Palmieri, Kim-Kwang Raymond Choo
    Abstract:

    This article addresses the need for a new dedicated bandwidth paradigm that allows flexible orchestration of resources from different sites (for example, a manufacturing organization and its upstream and downstream vendors) joining a cloud without belonging to the same Administrative Domain (that is, it supports cross-Domain operations and advanced network support). The main design goal is to turn the network communication capabilities into virtualized resources that can be scheduled in conjunction with more traditional cloud resources and managed by a specific software layer within the federated (manufacturing) cloud system services to implement a service plane for use by cloud applications and resource-management services.

Spyros Denazis - One of the best experts on this subject based on the ideXlab platform.

  • Technical infrastructure for a Pan-European federation of testbeds
    Testbeds and Research Infrastructures for the DEvelopment of NeTworks and COMmunities, 2009
    Co-Authors: Sebastian Wahle, Thomas Magedanz, Anastasius Gavras, Halid Hrasnica, Spyros Denazis
    Abstract:

    The Pan-European laboratory - Panlab - is based on federation of distributed testbeds that are interconnected, providing access to required platforms, networks and services for broad interoperability testing and enabling the trial and evaluation of service concepts, technologies, system solutions and business models. In this context a testbed federation is the interconnection of two or more independent testbeds for the temporary creation of a richer environment for testing and experimentation, and for the increased multilateral benefit of the users of the individual independent testbeds. The technical infrastructure that supports the federation is based on a web service through which available testing resources can be queried and requested. The available resources are stored in a repository, and a processing engine is able to identify, locate and provision the requested testing infrastructure, based on the testing users' requirements. The concept is implemented using a gateway approach at the border of each federated testbed. Each testbed is an independent Administrative Domain and implements a reference point specification in its gateway.

  • TRIDENTCOM - Technical infrastructure for a Pan-European federation of testbeds
    2009 5th International Conference on Testbeds and Research Infrastructures for the Development of Networks & Communities and Workshops, 2009
    Co-Authors: Sebastian Wahle, Thomas Magedanz, Anastasius Gavras, Halid Hrasnica, Spyros Denazis
    Abstract:

    The Pan-European laboratory - Panlab - is based on federation of distributed testbeds that are interconnected, providing access to required platforms, networks and services for broad interoperability testing and enabling the trial and evaluation of service concepts, technologies, system solutions and business models. In this context a testbed federation is the interconnection of two or more independent testbeds for the temporary creation of a richer environment for testing and experimentation, and for the increased multilateral benefit of the users of the individual independent testbeds. The technical infrastructure that supports the federation is based on a web service through which available testing resources can be queried and requested. The available resources are stored in a repository, and a processing engine is able to identify, locate and provision the requested testing infrastructure, based on the testing users' requirements. The concept is implemented using a gateway approach at the border of each federated testbed. Each testbed is an independent Administrative Domain and implements a reference point specification in its gateway.

Li Zhang - One of the best experts on this subject based on the ideXlab platform.

  • A Distributed Domain Administration of RBAC Model in Collaborative Environments
    2006 10th International Conference on Computer Supported Cooperative Work in Design, 2006
    Co-Authors: Yahui Lu, Li Zhang
    Abstract:

    Role-based access control (RBAC) models have been successfully implemented in various information systems in recent years. However, the traditional centralized authorization and administration mechanisms in RBAC have several drawbacks in collaborative environments. In this paper, we propose a distributed Domain administration of RBAC model, DARBAC, in which the authorization and administration privileges are distributed to multiple Administrative Domains. Each Administrative role is assigned to an Administrative Domain and can only execute Administrative operations within its Domain. By introducing the concept of Administrative Domain and Administrative role hierarchy, the DARBAC model can flexibly meet the access control requirements in collaborative environments. We also describe how to implement the model in the PLM product and how to apply the model in a distributed enterprise environment to support cooperative work.

  • CSCWD - A Distributed Domain Administration of RBAC Model in Collaborative Environments
    2006 10th International Conference on Computer Supported Cooperative Work in Design, 2006
    Co-Authors: Yahui Lu, Li Zhang
    Abstract:

    Role-based access control (RBAC) models have been successfully implemented in various information systems in recent years. However, the traditional centralized authorization and administration mechanisms in RBAC have several drawbacks in collaborative environments. In this paper, we propose a distributed Domain Administration of RBAC Model, DARBAC, in which the authorization and administration privileges are distributed to multiple Administrative Domains. Each Administrative role is assigned to an Administrative Domain and can only execute Administrative operations within its Domain. By introducing the concept of Administrative Domain and Administrative role hierarchy, the DARBAC model can flexibly meet the access control requirements in collaborative environments. We also describe how to implement the model in the PLM product and how to apply the model in a distributed enterprise environment to support cooperative work.

Deborah Estrin - One of the best experts on this subject based on the ideXlab platform.

  • Design of inter-Administrative Domain routing protocols
    ACM Special Interest Group on Data Communication, 1990
    Co-Authors: Lee Breslau, Deborah Estrin
    Abstract:

    Policy Routing (PR) is a new area of development that attempts to incorporate policy related constraints on inter-Administrative Domain (AD) communication into the route computation and forwarding of inter-AD packets. Proposals for inter-AD routing mechanisms are discussed in the context of a design space defined by three design parameters: location of routing decision (i.e., source or hop-by-hop), algorithm used (i.e., link state or distance vector), and expression of policy in topology or in link status. We conclude that an architecture based upon source routing, a link state algorithm, and policy information in the link state advertisements, is best able to address the long-term policy requirements of inter-AD routing. However, such an architecture raises several new and challenging research issues related to scaling.

  • SIGCOMM - Design of inter-Administrative Domain routing protocols
    ACM SIGCOMM Computer Communication Review, 1990
    Co-Authors: Lee Breslau, Deborah Estrin
    Abstract:

    Policy Routing (PR) is a new area of development that attempts to incorporate policy related constraints on inter-Administrative Domain (AD) communication into the route computation and forwarding of inter-AD packets. Proposals for inter-AD routing mechanisms are discussed in the context of a design space defined by three design parameters: location of routing decision (i.e., source or hop-by-hop), algorithm used (i.e., link state or distance vector), and expression of policy in topology or in link status. We conclude that an architecture based upon source routing, a link state algorithm, and policy information in the link state advertisements, is best able to address the long-term policy requirements of inter-AD routing. However, such an architecture raises several new and challenging research issues related to scaling.